Re: Odd windows ICMP... any ideas what this is?

From: Mika Boström (bostikat_private)
Date: Mon Jun 09 2003 - 12:52:54 PDT

    On Mon, 09 Jun 2003, ted klugman wrote:
    > Our IDS has been reporting some large ICMP packets on
    > our internal network. Our internal network is a
    > Windows2000 domain -- servers and clients.
    > 
    > - Packet size is always 2090 bytes
    > - Almost always sent from a client or member server to
    > one of the two boxes running Active Directory
    > - The ping payload itself is actually a JPEG of the
    > Microsoft logo. This JPEG can actually be found inside
    > userenv.dll.
    > 
    > I googled for any details, and I see that others have
    > run into this before. However, there were no answers,
    > just questions. See these two links for identical
    > packets:
    > 
    > http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
    > 
    > http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html
    
      Sorry for the lengthy quote. I remember seeing that debian-security
    thread when it appeared. Somewhat further down the thread there was a
    third URL given, with not much new information but just unanswered
    questions - much like you have noticed.
    
      <URL: http://www.wfu.edu/~steinsj5/work/icmp.html>
    
    > Anyone else seen these? Any idea what's causing them?
    > Is this 'normal' behavior on a W2K network?
    
      Considering that this is, if somewhat hazily, documented behaviour,
    one would be tempted to say it is indeed 'normal.'
    
      I'm far from being any kind of authority but I have my personal guess.
    Apparently w32 boxes ping their domain controller regularly. Not all of
    the packets contain the encapsulated image data, so whoever wrote this
    wanted the behaviour to be at least somewhat inconsistent. My guess is
    that the programmer or programmers in question had some extra time and
    inserted an easter egg.
    
      If these funny packets are indeed part of a license tracking mechanism,
    perhaps the combined effort of blocking oversized pings and then
    profiling the ICMP traffic immediately afterwards would help to provide
    some kind of answer? I can imagine four things happening.
    
      1. Nothing, the packets would be considered lost. (I don't know what
      the timeouts for not successfully pinging the domain controller might be.)
    
      2. Some kind of log event implicating that these packets are indeed
      expected part of the protocol.
    
      3. A resend with a regular ping, which in turn would show that some
      extra thought had been used. Quite likely to accommodate normal
      network functionality even with stricter traffic policies.
    
      4. A resend with image-ping. This oversized ping is part of the
      protocol, or the author(s) for some reason expect a reply to specific
      ICMP messages.
    
      Anyone care to test and document the behaviour? (I don't have access
    to network setups where these could be verified.)
    
    -- 
     Mika Boström      +358-50-410-9042  \-/  "The Hell is empty,
     Bostikat_private    www.lut.fi/~bostik  X    and all the devils
     Security freak, and proud of it.    /-\   are here." -W.S.
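The profiling step proposed above can be done offline against IDS or capture summaries. The following is an added example, not code from the thread: it labels ICMP records using the two observations the original poster gave (a 2090-byte echo request whose data begins with a JPEG stream, sent to a domain controller) and counts them per source/destination pair. The addresses, the 1500-byte "oversized" threshold and the record layout are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constants taken from the thread: 2090-byte echo requests whose data is a JPEG.
JPEG_SOI = b"\xff\xd8\xff"        # every JPEG stream begins with the SOI marker
REPORTED_LENGTH = 2090
ICMP_ECHO_REQUEST = 8
MTU_THRESHOLD = 1500              # assumed: anything above this counts as "oversized"

@dataclass
class IcmpRecord:
    """One ICMP packet as an IDS or packet capture would summarise it (assumed layout)."""
    src: str
    dst: str
    icmp_type: int
    total_length: int
    payload: bytes

def classify(rec, dc_hosts):
    """Label an ICMP record: 'logo-ping', 'oversized-ping' or 'normal'.

    The JPEG marker plus a domain-controller destination is the strong signal;
    size alone only says the ping was larger than the MTU.
    """
    if rec.icmp_type != ICMP_ECHO_REQUEST:
        return "normal"
    if rec.payload.startswith(JPEG_SOI) and rec.dst in dc_hosts:
        return "logo-ping"
    if rec.total_length > MTU_THRESHOLD:
        return "oversized-ping"
    return "normal"

def profile(records, dc_hosts):
    """Count labels per (src, dst) pair: the profiling step the reply proposes."""
    counts = Counter()
    for rec in records:
        counts[(rec.src, rec.dst, classify(rec, dc_hosts))] += 1
    return counts

# Constructed sample traffic; addresses are placeholders, not values from the thread.
DC_HOSTS = {"10.0.0.10", "10.0.0.11"}
SAMPLE = [
    IcmpRecord("10.0.1.23", "10.0.0.10", 8, REPORTED_LENGTH, JPEG_SOI + b"\xe0" + b"\x00" * 40),
    IcmpRecord("10.0.1.23", "10.0.0.10", 8, 74, b"abcdefghijklmnopqrstuvwabcdefghi"),
    IcmpRecord("10.0.1.42", "10.0.0.11", 8, REPORTED_LENGTH, JPEG_SOI + b"\xe0" + b"\x00" * 40),
    IcmpRecord("10.0.1.42", "10.0.2.5", 8, 1600, b"\x00" * 40),  # large, but no JPEG and not to a DC
    IcmpRecord("10.0.0.10", "10.0.1.23", 0, REPORTED_LENGTH, JPEG_SOI + b"\x00" * 40),  # echo reply
]

if __name__ == "__main__":
    for key, n in sorted(profile(SAMPLE, DC_HOSTS).items()):
        print(f"{key[0]:>10} -> {key[1]:<10} {key[2]:<15} {n}")
```

Running the profile before and after a filter on oversized pings is introduced would show whether the clients fall silent, fall back to ordinary pings, or keep resending the image-carrying ones.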
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 13:37:04 PDT